Virgin America Stalled by Web Attack, Finally Starts Selling Tickets

After a prolonged and highly political fight to get off the ground, airline startup Virgin America finally began selling tickets last week.

But just as the low-cost carrier launched on July 19, its website was hit with what CIO Bill Maguire says was a distributed denial-of-service (DDoS) attack. “We had lots of activity and people hammering the site, which is exciting,” says Maguire. “But on some things there was a real slow response.” He says his team identified a specific pattern associated with SYN flood attacks. “It slowed us down for a little bit there,” Maguire says. “We quickly isolated it, corrected the slip and kept cranking right along.” During the slowdown, Virgin America’s call center, which it outsources to a provider of home-based agents called Arise, took up the slack, Maguire adds.

MORE ON Virgin America

Virgin America: Cheap Frills

Virgin America: Launch Delayed

Airlines Return to Profitability

Maguire describes the incident as a “blip” in an otherwise successful launch and wouldn’t do anything differently. “What it does prove is no matter how much you prepare-whether it’s functionality you’re developing for a website or anticipating something destructive, you do the best you can to anticipate every incident you might encounter-things happen,” says Maguire. “It’s Murphy’s law.”

Not everyone agrees.  “It just doesn’t sound good for a new airline that has fought for more than a year and a half to get the authority to fly,” says Henry Harteveldt, a travel industry analyst at Forrester Research who, like some others, wondered if the site indeed was hacked or if the airline just wasn’t prepared for the heavy customer load. “The fact that in 2007 an airline can start up-one with good management, good funding, experienced people who understand the important role e-commerce plays-and somehow the website could crash, whether it was hacked or not, shows that not all the i’s were dotted and not all the t’s were crossed.” Despite Virgin America’s claim that the website lethargy lasted only an hour, Harteveldt insists it was longer, and that the outsourced call center wasn’t equipped to scale up to meet increased demand.

Unfortunately for the nascent company, its approval to sell tickets from the Department of Transportation came on the condition that it get rid of CEO Fred Reid, whose status as an airline veteran helped get Virgin off the ground with investors. The DoT determined that Reid was too close to foreign investors (read: Richard Branson) and stated that the CEO must be replaced by November. U.S. law has prohibited foreign investors from owning 50 percent or more of an airline or more than 25 percent of its voting rights, and legacy carriers had launched a concerted lobbying effort to prove to the DoT that Virgin America somehow violated that law. (For more on the fight, see Virgin America Launch Delayed. “Virgin America has been a pawn in a political struggle that goes way beyond their ability to fly,” says Harteveldt. “Reid is a qualified executive. But Virgin America offered him up as a sacrificial lamb and the DoT called their bluff.”

Maguire doesn’t rule out the possibility that the DDoS attack could be part of the continued industry reluctance to welcome another player to the not-so-friendly skies. “It certainly could be, but there’s no way of knowing that. DDoS attacks are very clever and IP addresses are so easy to spoof, we could never trace it to any organization for sure,” says Maguire. “We’re just keeping a close eye on things for future.”

It wasn’t all bad news for Virgin America, though. “The good news is the website is good, it’s simple to use, and it merchandises product well,” says Harteveldt. That’s resulted in about 80 percent of Virgin America’s tickets being sold via the Web, says Maguire, which is good news for the cost-conscious company.

And its Linux-based in-flight entertainment (IFE) system, which includes such never-before-seen offerings as an in-flight chat program (SMS with a friend or the whole plane!), seat-back drink and food ordering, open-source games (including Doom) and premium TV offerings (old Twin Peaks episodes, anyone?), is getting rave reviews from the geek community. Of course, Maguire’s not counting any chickens until the inaugural flight on Aug. 8. He’s been taking short IFE test flights (up to Oregon, east to Reno, back to San Francisco) to work out the kinks. He knows how unforgiving those same rave reviewers will be if they take off and discover a bug in the system.

As for the rest of the in-flight experience, the USB and Ethernet ports that adorn each seat (two 1110-volt power outlets per row) will likely please the business traveler, a customer base the carrier would like to grow with its routes that will include daily flights between San Francisco and New York, San Francisco and Los Angeles, and New York and Los Angeles. There’s the in-cabin “mood lighting, which adjusts depending on the time of day. “Some people say it’s like stepping into a night club,” says Maguire.